Commit Graph

49 Commits

Author SHA1 Message Date
Brian Haley
f31cfb2ef9 support image registries with authentication
Based on spec in openstack-helm repo,
support-OCI-image-registry-with-authentication-turned-on.rst

Each Helm chart can configure an OCI image registry and
credentials to use. A Kubernetes secret is then created with these
info. Service Accounts then specify an imagePullSecret specifying
the Secret with creds for the registry. Then any pod using one
of these ServiceAccounts may pull images from an authenticated
container registry.

Change-Id: Iebda4c7a861aa13db921328776b20c14ba346269
2022-07-20 14:28:47 -05:00
Gage Hugo
a55f3a5aa2 Fix helm3 compatability
The prometheus-kube-state-metrics chart currently fails to lint
with helm3 due to an extra "-" character. This change removes
the extra dash character in order to allow us to link and build
the chart via helm v3.

Change-Id: Ice1661b8e52fb7e2293d8b03a19e8e7ad43078ca
2021-09-08 10:58:06 -05:00
Chris Wedgwood
25d2b06c16 [kube-state-metrics] Update to make current
Update image to a version appropriate for current Kubernetes versions,
adjust RBAC appropriately.

Change-Id: I6c7835cb18737f98e37a433bde8fd232d6f5479e
2020-10-04 21:43:25 +00:00
Andrii Ostapenko
824f168efc Undo octal-values restriction together with corresponding code
Unrestrict octal values rule since benefits of file modes readability
exceed possible issues with yaml 1.2 adoption in future k8s versions.
These issues will be addressed when/if they occur.

Also ensure osh-infra is a required project for lint job, that matters
when running job against another project.

Change-Id: Ic5e327cf40c4b09c90738baff56419a6cef132da
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
2020-07-07 15:42:53 +00:00
Andrii Ostapenko
83e27e600c Enable key-duplicates and octal-values yamllint checks
With corresponding code changes.

Change-Id: I11cde8971b3effbb6eb2b69a7d31ecf12140434e
2020-06-17 13:14:30 -05:00
Gage Hugo
d14d826b26 Remove OSH Authors copyright
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.

This change removes all references to this copyright by the
non-existent group and any blank lines underneath.

Change-Id: I1882738cf9757c5350a8533876fd37b5920b5235
2020-05-07 02:11:15 +00:00
diwakar thyagaraj
ebfcec03e2 Enable Docker default Apparmor for all Prometheus init Containers
Change-Id: I036882f7e443d3494e3fb38b2d5ded4bfa11a9b1
Signed-off-by: diwakar thyagaraj <diwakar.chitoor.thyagaraj@att.com>
2020-05-06 17:18:16 +00:00
Chris Wedgwood
a23de914ce prometheus-kube-state-metrics; expose readiness probe via HTK
On larger clusters the default timeout of 1s isn't enough.  Use HTK to
expose settings and adjust defaults to be suitable for larger
clusters.

Change-Id: I2336c64d20fe689a5c7f22e8fbd170a27b1a1045
2020-02-25 17:36:08 +00:00
diwakar thyagaraj
17592f54ae Enable Docker default Apparmor for all Prometheus Containers
Change-Id: I97fc39e52b36fc0be84abd049fdbce1e7026107d
Signed-off-by: diwakar thyagaraj <diwakar.chitoor.thyagaraj@att.com>
2020-02-18 14:46:09 +00:00
Tin Lam
c199addf3c Update apiVersion
This patch set updates and tests the apiVersion for rbac.authorization.k8s.io
from v1beta1 to v1 in preparation for its removal in k8s 1.20.

Change-Id: I4e68db1f75ff72eee55ecec93bd59c68c179c627
Signed-off-by: Tin Lam <tin@irrational.io>
2020-01-09 08:59:48 +00:00
Sphicas, Phil (ps3910)
d607caf6e1 Prometheus fix label mismatch for netpol
Ensures that the label selectors match the labels actually applied to
the pods, to allow network policies to be applied correctly.

prometheus-kube-state-metrics deployment:
    application=kube-state-metrics

prometheus-process-exporter daemonset:
    application=process_exporter

Change-Id: I964bac9e85db28c8af926158f13c99883029ac84
2019-10-19 00:06:09 +00:00
Steve Wilkerson
c9acad238c Update Kubernetes version to 1.16.2
This updates the kubeadm and minikube Kubernetes deployments to
deploy version 1.16.2

Change-Id: I324f9665a24c9383c59376fb77cdb853facd0f18
Signed-off-by: Steve Wilkerson <sw5822@att.com>
2019-10-16 21:54:53 +00:00
Tin Lam
aa2ce5fef4 Add default netpol to LMA charts
Change-Id: I86389085e922848a833d8787573e0b6be843ace4
Signed-off-by: Tin Lam <tin@irrational.io>
2019-09-30 23:40:15 +00:00
Steve Wilkerson
b4b1dd9528 Add missing affinity keys to chart pod specs
This adds the affinity key to the pod spec for the grafana,
nagios, kube-state-metrics, and openstack-exporter charts as it
was previously missed

Change-Id: Ifefa88d7f33607b4d595effa5fbf72f3387e5081
Signed-off-by: Steve Wilkerson <sw5822@att.com>
2019-06-13 19:15:42 +00:00
RAHUL KHIYANI
0ae22f4c1c prometheus-kube-state-metrics: Fix security context
This PS fixes the application name to holistic manner

Change-Id: Ib68c6fc114962fd53a5fcd2ce9e79bfefd5d94a3
2019-04-22 10:29:33 -05:00
Pete Birley
2abf62ff4d OSH-Infra: Add emptydirs for tmp
This PS adds emptydirs backing the /tmp directory in pods, which
is required in most cases for full operation when using a read only
filesystem backing the container.

Additionally some yaml indent issues are resolved.

Change-Id: I8b7f1614da059783254aa6efc09facf23fca3cad
Signed-off-by: Pete Birley <pete@port.direct>
2019-04-20 20:50:59 +00:00
Rahul Khiyani
edb24bd537 prometheus-kube-state-metrics: Add container security context
This adds the container security context to set
readOnlyRootFilesystem to true

Change-Id: I1cc81e2284dbbe94739fd498ccfd3e0ee96dfdbd
2019-03-22 14:02:08 +00:00
Steve Wilkerson
84f30ec103 Add release-annotation to pod spec, add missing annotations
This adds the release-annotation to the pod spec for the charts in
openstack-helm-infra. This also adds missing configmap annotations
to charts in openstack-helm-infra

Change-Id: Ie23f0c16a7a21d3929e98928db2bbcef69ae6490
2019-03-21 09:10:48 -05:00
Zuul
d6996b8004 Merge "Add ingress network policy to kube-state-metrics and openstack-exporter" 2019-03-10 21:13:55 +00:00
Meg Heisler
2d36d5f7ce Add ingress network policy to kube-state-metrics and openstack-exporter
This adds ingress network policies to kube-state-metrics and
openstack-exporter using the helm-toolikit template. It also
add openstack-exporter to the network policy jobs.

Change-Id: I3bfc2f1e8a35c09e577a046ebd52346de95e5745
2019-03-07 14:12:14 -06:00
Rahul Khiyani
5b513d333f readOnlyRootFilesystem: true for Prometheus exporters charts
Fix for adding readOnlyRootFilesystem flag at pod
level

Change-Id: I3d81f9dca7e1bce0134a39a96b96ef7712d28d84
2019-03-07 17:10:39 +00:00
Zuul
754758e8a7 Merge "Kube-State-Metrics: Add pod/container security context" 2019-01-05 03:14:11 +00:00
Chris Wedgwood
0c4e37391f 'NOP' cleanup for more consistent white-space use in charts
Where we have the style '{{ ...' we should use the style '... }}'.

Change-Id: Ic3e779e4681370d396f95d3804ca27db5b9d3642
2019-01-03 22:45:49 +00:00
Steve Wilkerson
4d50e6fa7a Kube-State-Metrics: Add pod/container security context
This updates the kube-state-metrics chart to include the pod
security context on the pod template. This changes the pod's
user from root to the nobody user instead

This also adds the container security context to explicitly set
allowPrivilegeEscalation to false

Change-Id: I17748b299a6e7a394cae63a0e713c49fbf68b4eb
2019-01-03 16:08:22 -06:00
Pete Birley
bb3ff98d53 Add release uuid to pods and rc objects
This PS adds the ability to attach a release uuid to pods and rc
objects as desired. A follow up ps will add the ability to add arbitary
annotations to the same objects.

Change-Id: Iceedba457a03387f6fc44eb763a00fd57f9d84a5
Signed-off-by: Pete Birley <pete@port.direct>
2018-09-13 05:35:35 +00:00
Jean-Philippe Evrard
bf069b2311 Revert "Update OSH Author copyrights to OSF"
This reverts commit 178aa271a4.

Change-Id: I38a52d866527dfff2689b618e055f439bc248c13
2018-08-28 17:25:54 +00:00
Matt McEuen
178aa271a4 Update OSH Author copyrights to OSF
This PS updates the "Openstack-Helm Authors" copyright attribution
to be the "OpenStack Foundation", as decided in the 2018-03-20
team meeting:
http://eavesdrop.openstack.org/meetings/openstack_helm/2018/openstack_helm.2018-03-20-15.00.log.html

No other copyright attributions were changed.

Change-Id: I1137dee2ae5728771835f4b33fcaff60fcc22ca9
2018-08-26 17:17:06 -05:00
Seungkyu Ahn
a430533e6a Quoting node_select_value in Ingress Controller
In most cases, the ingress controller's nodeSelector key and value
are "node-role.kubernetes.io/ingress" and "true".
Using quote to treat the nodeSelector value as a string.

Change-Id: Ie1745629b90795e4d888d85f35565e6d6350e09b
2018-08-01 02:39:05 +00:00
Steve Wilkerson
cb7bf2c0b3 Add missing readiness probes to openstack-helm-infra charts
This adds missing readiness probes to the following charts in
openstack-helm-infra: elasticsearch, fluent-logging, kibana,
nagios, prometheus-kube-state-metrics, prometheus-node-exporter,
and prometheus-openstack-exporter

Change-Id: I6a2635b08667c31eadb1b05ba848c658935a17e5
2018-06-26 12:25:36 +00:00
Zuul
ccc0da5509 Merge "Kube-State-Metrics: Change default image used" 2018-06-19 17:07:43 +00:00
Zuul
59cf366ad4 Merge "Kube-state-metrics: Update resources in clusterrole" 2018-06-14 16:24:35 +00:00
Steve Wilkerson
5fe73e6e58 Kube-State-Metrics: Change default image used
This changes the default image for kube-state-metrics to use the
bitnami image instead of the coreos image. This allows us to
override the image entrypoint, as the Alpine based image used
previously did not easily allow us to do so. Adding this also
makes creating a common prometheus exporter deployment template
easier, as it reduces the functional differences between exporter
charts and templates

Change-Id: I6c4aac36f563fcb15f52640bc6f9913b45b4358a
2018-06-14 10:04:03 -05:00
Pete Birley
fa629cdbbd Daemonsets: Use current kubernetes daemonset api version
This PS moves to use the current ga version for kubernetes daemonsets,
additionally any remaining deployments that were using the
`extensions/v1beta1` have been updated to `apps/v1`.

Story: 2002205
Task: 21735

Change-Id: If9703162dc472af1e6096bf2b9062802fd5ce8ab
Signed-off-by: Pete Birley <pete@port.direct>
2018-06-13 21:53:18 +00:00
Steve Wilkerson
9325f3d870 Kube-state-metrics: Update resources in clusterrole
This updates the resources and the apigroups in the clusterrole
for kube-state-metrics to reflect the additional collectors that
are included in the image we use

Change-Id: I4b1c1779598e6488e4e1c8def18ad767d5d5fab4
2018-06-12 17:26:01 -05:00
Steve Wilkerson
e166432a98 Add manifest for image_repo_sync job
This ps proposes adding a common template for the image_repo_sync
jobs for consumption by the charts

Change-Id: I48476d1e4fd94bd1b08b13b46983e3d999f8d8ca
2018-04-19 14:10:08 +00:00
Steve Wilkerson
aaffc4caf0 OSH-Infra: Update labels for chart components
This ps adds more granular node selectors for the charts in osh
infra to match what is currently done in osh

Change-Id: I8957a95053b9fb3ea329fd37ff049cd223a7695d
2018-04-13 08:44:33 -05:00
Pete Birley
b9336ca613 Helm-Toolkit: Kubernetes Entrypoint, simplify image dependencies
This PS simplify the logic for dyanmicly merging the image management
depenencies into pod deps when active.

Change-Id: I0cf6c93173bc5fbce697ac15be8697d3b1326d0a
2018-04-13 08:42:37 -05:00
Zuul
eb3cbf0f95 Merge "yaml cleanup: trim multiline strings" 2018-03-10 07:01:35 +00:00
Chris Wedgwood
3a8c00764c yaml cleanup: trim multiline strings
Change-Id: I7e8f423be2efb84f3116258beca805265ca388f7
2018-03-08 20:18:53 +00:00
Steve Wilkerson
1929cdcbef kube-state-metrics: use endpoints section and lookups to set port
This PS moves kube-state-metrics to use the endpoints section and
lookups to set the ports it serves on.

Change-Id: Icb4757a59852e508148ca9f1e682c722e40042c9
2018-03-05 10:39:28 -06:00
Pete Birley
3c101a6324 dependencies: move dynamic common deps under a 'dynamic.common' key
This PS moves existing dynamic common dependencies under a
'dynamic.common' key to simplify the yaml tree.

Change-Id: I4332bcfdf11197488e7bd5d8cf4c25565ea1c7b6
2018-02-24 17:42:10 -05:00
Pete Birley
e0c688d7ee dependencies: move static dependencies under a 'static' key
This PS moves static dependencies unser a 'static' key to allow
expansion to cover dynamic dependencies.

Change-Id: Ia0e853564955e0fbbe5a9e91a8b8924c703b1b02
2018-02-24 17:39:55 -05:00
portdirect
515494ca98 RBAC: Include release name in cluster roles to prevent collision
This PS includes the release name in the cluster role to prevent
colision if the chart is deployed multiple times in the same
cluster.

Change-Id: I7166e5ee25b3d4c89879393c5f84c869585a2681
2018-02-19 13:13:56 -06:00
Sean Eagan
641c79c902 Add deep merge utility to helm-toolkit
Adds "helm-toolkit.utils.merge" which is a replacement for the
upstream sprig "merge" function which didn't quite do what we
wanted, specifically it didn't merge slices, it just overrode
one with the other.  This PS also updates existing callsites
of the sprig merge with "helm-toolkit.utils.merge".

Change-Id: I456349558d4cf941d1bcb07fc76d0688b0a10782
2018-02-13 10:08:50 -06:00
Siri Kim
d9d2ba547a kube-state-metrics for kubernetes version 1.8
This PS is kube-state-metrics for kubernetes version 1.8.
Using kube-state-metrics:v1.2.0 image makes kube-state-
metric pod work properly. Also, gives authority to list
endpoints, persistentvolumes, and horizontalpodautoscalers
by adding them to clusterrole.

Change-Id: I705b29c321b0162740744afa8573dc6ae75bcc60
2018-01-29 05:45:57 +00:00
Steve Wilkerson
9ffc748979 helm-toolkit prometheus service annotation clean up
This adds checks for the fields in the service annotations for
prometheus, similar to the checks made for the pod annotations.
It also moves prometheus annotations under a prometheus: key
under a top-level monitoring tree to allow for other monitoring
mechanisms independent of the endpoints tree

Change-Id: I4be6d6ad8e74e8ca52bd224ceddad785577bf6c7
2018-01-16 20:35:50 +00:00
Steve Wilkerson
182c0c5618 Remove unneeded context in prometheus service annotation
Removes an unused context declaration from the prometheus service
annotation template in helm-toolkit, and removes all references to
it

Change-Id: I57612c1504cf046f367ee10d26ef3062ebe528d3
2018-01-12 08:28:48 -06:00
Tin Lam
628fd3007d RBAC: Consolidate serviceaccounts and restrict rbac
Currently, services have two serviceaccounts: one specified in the
chart that cannot read anything, and one injected via helm-toolkit
that can read everything. This patch set refactors the logic to:

- cleanup the roles and their binding automatically when the helm
  chart is deleted;
- remove the need to separately mount a serviceaccount  with secret;
- better handling of namespaces resource restriction.

Co-Authored-By: portdirect <pete@port.direct>

Change-Id: I47d41e0cad9b5b002f59fc9652bad2cc025538dc
2017-12-19 20:22:57 -05:00
Steve Wilkerson
938bce7370 Include prometheus- prefix for select monitoring charts
This adds the prometheus- prefix to the alertmanager,
kube-state-metrics and node exporter charts to reflect their
intended usage as part of a prometheus centric monitoring solution

This will imply a logical grouping of these components, similar to
their deployment in the osh-infra gates

Change-Id: I4f391a10b64389022f01a94ea3704c110f8f9bb5
2017-12-17 23:22:50 -05:00